(Source: Public email advisory from Symantec/Norton regarding the Heartbleed OpenSSL Bug, 18 April 2014)
You’ve likely heard of Heartbleed over the past week. We wanted to share a bit about what it is, steps we have taken to protect our customers and steps you can take to protect yourself across the Web.
Some versions of Norton AntiVirus, Norton Internet Security and Norton 360 were impacted. On April 10th, we distributed updates to these impacted products to stop and block Heartbleed. Norton Accounts used to sign into Norton.com were not impacted. Please refer to our FAQ for more information on how we’re defending against this vulnerability.
Why Heartbleed affects everyone on the Internet
Heartbleed is a bug in some versions of OpenSSL, a set of software tools used widely across the Web for security. This bug may reveal your name, passwords and other private information.
If you visited a website that uses a vulnerable version of OpenSSL during the last two years, your personal information may be compromised. You can use this tool: http://safeweb.norton.com/heartbleed to check if a particular website is currently impacted.
How to protect yourself
Due to the nature of this vulnerability, changing your passwords before sites update their version of OpenSSL won’t fully protect you: a new password sent to a still-vulnerable site can be exposed just like the old one. Here are some simple steps you can take as a precaution:
- Change your passwords on any website that contains sensitive information about you. You should first confirm that the site does not contain the Heartbleed vulnerability by using this tool.
- If you’ve reused passwords on multiple sites, it’s especially important to change them. To change your Norton Account password, visit manage.norton.com and click Account Information.
- Beware of phishing emails and type website addresses directly in your browser instead of clicking on a link through an email.
- Monitor your bank and credit card accounts for unusual activity.
It may take an extended period of time for all the sites affected by Heartbleed to fix this vulnerability. Use the tool above to determine whether a website is still vulnerable to Heartbleed. We recommend you only exchange personal or sensitive information, such as your credit card number, with a site once it is no longer affected by Heartbleed.
You can learn more about Heartbleed and its impact to consumers by checking out our FAQ or by following the Norton Protection Blog.
Stay Safe Online
Early Advisory, 9-11 April 2014
(Source: Symantec.com, 9-11 April 2014)
Heartbleed Bug: What You Need to Know and Security Tips
What is Heartbleed? Symantec is continuing to track this OpenSSL bug discovered recently and its implications for consumers. Symantec has created a site devoted to Heartbleed for further information.
“Heartbleed” is the name that security researchers have given to a serious bug found in a very common piece of software used by many websites. The software in question is called OpenSSL and is used to encrypt the information that you send to and from websites, such as your login name and password or other sensitive information. You can usually tell that a website encrypts information when you see a little closed padlock near the address of the website in your browser.
Unfortunately there are many different software implementations used to implement this encryption and there is no easy way to know whether or not a given website is running the particular version of OpenSSL that this bug is present in. We believe most large websites reacted quickly to the news of the ‘heartbleed’ bug and fixed it, however it will likely take a very long time for every website to do so.
Here are some tips to keep in mind over the coming weeks and months to help ensure the safety of your sensitive information as you surf and interact online:
- Do not use the same user name and password across multiple sites. Why so? Well, think of your password as being like a door key. In life in general it would be really convenient if we could all use one single key to open every door in our lives: our house, our car, our office etc. Our key-chains would be nice and compact. However, losing that one key to a criminal would also mean that they could potentially freely access every door in your life. Using the same user name and password for every website you use is the online equivalent of having the same key for every door. So although the large websites you use likely reacted to the ‘heartbleed’ bug very quickly, smaller ones may not have, and if a smaller website you use is compromised, the same username and password might then be tried on one of the larger websites, even if they have already fixed the bug. If you need to access many websites, as most of us do these days, we recommend using a software password manager. Here is a link to ours: Norton Identity Safe, but there are many others on the market today too.
- Make sure you avoid simple passwords. Using a combination of upper and lower case letters with a few numbers sprinkled in is a good start, and the longer a password is, the better. Here is a link to a password generator that you might find useful.
- Be especially on the lookout for scams. News like that of ‘heartbleed’ is music to a scammer’s ears. They take advantage of events like this by sending out fake email messages asking unsuspecting users to ‘change your password because of the heartbleed bug’. Such messages are known as phishing messages, and they can be very hard to spot. Although Norton products are good at detecting and blocking them, if you do get a message asking you to reset a password, we recommend that you don’t click on any of the links in the email but rather navigate to the website yourself by typing the address into your browser by hand.
- Keep an eye on your sensitive online accounts. It’s always good practice to do this anyway, but particularly now, pay special attention to online accounts (banks, email etc.), as well as bank and credit card statements, to check for any unusual transactions.
Finally, if you are looking for something a little more technical on the background to this bug, we’ve got a lot more detail in a blog entry written up by one of our security researchers here: Heartbleed Bug Poses Serious Threat to Unpatched Servers (below).
Early Advisory 9 April 2014
(Source: “Heartbleed Bug Poses Serious Threat to Unpatched Servers,” Symantec, 9 April 2014)
A newly discovered vulnerability in OpenSSL, one of the most commonly used implementations of the SSL and TLS cryptographic protocols, presents an immediate and serious danger to any unpatched server. The bug, known as Heartbleed, lets an attacker read chunks of a vulnerable server’s memory over the network and steal whatever they happen to contain: login credentials, personal data, or even the server’s private encryption keys.
Heartbleed, or the OpenSSL TLS ‘heartbeat’ Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used, open source implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
Heartbeat is an extension to the TLS protocol that allows a TLS session to be kept alive, even if no real communication has occurred for some time. The feature will verify that both computers are still connected and available for communication. It also saves the user the trouble of having to reenter their credentials to establish another secure connection if the original connection is dropped.
How does it work? A client sends a Heartbeat request to the OpenSSL server, which copies the request’s payload into a Heartbeat response and sends it straight back, proving that the connection is still alive. The request has two relevant components: a block of data known as the payload, which can be up to 64KB, and a length field stating how many bytes of payload follow.
The Heartbleed vulnerability is that the affected OpenSSL versions trust that length field. An attacker can send a payload of just one kilobyte in size but state that it is 64KB.
How the OpenSSL server deals with this malformed Heartbeat message is the key to the danger this vulnerability poses. It does not check that the record it received actually contains as many payload bytes as the length field claims. Instead it copies the claimed number of bytes, starting where the payload begins, into the response and sends it back to the computer the request came from. Since only 1KB of the 64KB came from the attacker, the remaining 63KB is whatever happened to be stored next to the payload in the application’s memory. This could include the login credentials of a user, personal data, or even, in some cases, session keys and the server’s private encryption key.
The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.
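The over-read described above, written out as an added example (illustrative code for this page, not OpenSSL’s own source): a vulnerable heartbeat handler with the shape of tls1_process_heartbeat() in OpenSSL 1.0.1 through 1.0.1f, next to a handler carrying the bounds check that 1.0.1g added. The record, the “neighbouring” memory and the secret sitting in it are all constructed for the demo, and the simulated memory arena is sized so that the over-read stays inside it, which keeps the demo itself free of undefined behaviour while showing the same effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat wire format (RFC 6520): 1-byte type, 2-byte payload length,
 * payload, then at least 16 bytes of random padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* A simulated slice of server memory (constructed for this example). It is
 * larger than any 16-bit payload length plus headers, so the over-read below
 * stays inside the array and the demo itself has no undefined behaviour. */
#define ARENA_SIZE   70000
static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];

/* Data that happens to sit just past the record: a constructed sample secret. */
static const char secret[] = "user=alice&password=hunter2";

/* Write a heartbeat request into `arena`: the header claims `claimed` bytes of
 * payload but only `actual` bytes are really present. Returns the record length
 * as the TLS record layer would report it. */
size_t build_heartbeat(uint16_t claimed, size_t actual)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);                     /* the real payload */
    size_t rec_len = 3 + actual + HB_PADDING;           /* padding is already zero */
    memcpy(arena + rec_len + 8, secret, sizeof secret); /* neighbouring memory */
    return rec_len;
}

/* Vulnerable handler, same shape as tls1_process_heartbeat() in OpenSSL
 * 1.0.1 through 1.0.1f: copies `payload` bytes back without checking that the
 * record actually contained them. Returns the response length or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                      /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the bounds checks added in OpenSSL 1.0.1g. A request whose
 * claimed payload does not fit in the received record is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the fix */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* now provably in bounds */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Scan a response for the secret that was never part of the request. */
int contains_secret(const unsigned char *buf, int len)
{
    size_t n = strlen(secret);
    if (len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}

/* Run one request through the chosen handler.
 * Returns -1 if discarded, 1 if the response leaked the secret, 0 otherwise. */
int run_heartbeat(uint16_t claimed, size_t actual, int use_fixed)
{
    size_t rec_len = build_heartbeat(claimed, actual);
    int n = use_fixed ? heartbeat_fixed(arena, rec_len, response)
                      : heartbeat_vulnerable(arena, rec_len, response);
    if (n < 0) return -1;
    return contains_secret(response, n);
}

int main(void)
{
    /* Attacker sends 16 bytes but claims 1024, the advisory's 1KB-vs-64KB trick in miniature. */
    printf("vulnerable, claim 1024 / actual 16: %d\n", run_heartbeat(1024, 16, 0));
    printf("fixed,      claim 1024 / actual 16: %d\n", run_heartbeat(1024, 16, 1));
    printf("fixed,      claim 16   / actual 16: %d\n", run_heartbeat(16, 16, 1));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the received record length; on a real server the bytes past the record are whatever the allocator last placed there, which is why repeated requests gradually expose more of the process’s memory.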
Private encryption keys may be the most difficult thing to steal using this attack. Data is stored in a sequential fashion, with new data placed in front of older data, and the long-lived private key is usually allocated “behind” the short-lived payload buffer in memory, so it is less likely to fall inside the range that is read. Content from current SSL/TLS sessions is the data most likely to be at risk. That is a matter of likelihood rather than a guarantee: memory layout varies between servers and over time, and the attacker can repeat the request as often as they like, which is why the advice for businesses below treats the private key as something that could have been exposed.
The Heartbleed bug is the latest in a series of SSL/TLS vulnerabilities uncovered this year. TLS and its older predecessor SSL are both secure protocols for Internet communication and work by encrypting traffic between two computers.
In February, Apple had to patch two critical vulnerabilities affecting SSL in its software. It first issued an update for its mobile operating system iOS, which patched a flaw that enabled an attacker with a privileged network position to capture or modify data in sessions protected by SSL/TLS. Days later, a second update was issued, this time for its desktop operating system OS X, after it was discovered that the same vulnerability also affected it.
In March, a certificate vulnerability was found in security library GnuTLS, which is used in a large number of Linux versions, including Red Hat desktop and server products, and Ubuntu and Debian distributions of the operating system.
GnuTLS is an open source software implementation of SSL/TLS. The bug meant that GnuTLS failed to correctly handle some errors that could occur when verifying a security certificate. This could allow an attacker to use a specially crafted certificate to trick GnuTLS into trusting a malicious website. The vulnerability was immediately patched by GnuTLS.
Heartbleed is by far the most serious vulnerability in SSL/TLS to be uncovered of late. The nature of the bug, and the fact that it affects one of the most widely used implementations of SSL/TLS, means that it poses an immediate risk.
Advice for businesses:
- This is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by Symantec.
- Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension (the -DOPENSSL_NO_HEARTBEATS build option), and then restart every service that loads the library: a patched copy on disk does nothing for processes still running the old code. The 1.0.0 and 0.9.8 branches do not contain the heartbeat code and are not affected. Linux distributions often backport the fix without changing the reported version number, so check your distribution’s package advisory rather than relying on the version string alone.
- After moving to a fixed version of OpenSSL, if you believe your server’s private key may have been exposed as a result of exploitation, generate a new key pair, obtain a replacement certificate for it from your certificate authority and have the old certificate revoked. Re-keying on a still-vulnerable server is pointless, since the new key can be stolen the same way.
- Finally, and as a best practice, businesses should also consider resetting end-user passwords and invalidating active session tokens that may have been visible in a compromised server’s memory. Again, do this only after the server is patched.
Advice for consumers:
- You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has told its customers that it has patched and that they should change their passwords, do so.
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
- Monitor your bank and credit card statements to check for any unusual transactions
UPDATE April 10, 2014: Symantec’s SSL Tools Certificate Checker will check whether a website is vulnerable to exploitation. You can access the Certificate Checker at the following location: https://ssltools.websecurity.symantec.com/checker/
To use the Certificate Checker, click on Check your certificate installation and then enter your website URL.